Risks attach to what they actually affect — process, vendor, application, location, or the organisation. Inherent + residual scoring. Reusable scenario library shared with the exercise programme. Critical-asset linkage. KRI tracking.
A SAN-failure risk targets a location · a vendor-outage risk targets a vendor · a regulatory-breach risk targets a process. Each renders contextually with the right cross-links.
Each risk carries inherent and residual likelihood × impact (1-5). The treatments register tracks what moved the residual. The heatmap shows both side-by-side — auditors see the gap between gross and net.
Scenarios = risk archetypes. 'Ransomware on Core Banking' · 'SAN failure DC1' · 'Critical-vendor SWIFT outage'. Risks reference scenarios. Exercise programmes use scenarios. One source of truth across modules.
Information assets, infrastructure, key staff. Each linked to risks via critical_asset_risk_links. The asset-centric view answers 'what risks does my Core Banking system carry?'
Each treatment has type (accept · transfer · mitigate · avoid), owner, due date, status, verification. Linked to the risk it addresses; the verified_at timestamp is the audit-evidence anchor.
Top-N risks by residual · risks by category · treatments overdue · scenario coverage across the exercise programme. Rolls up to the cross-module reporting dashboard.
public.risks| Column | Type | Clause | Note |
|---|---|---|---|
| code | varchar(50) | Human-readable code (e.g., RISK-CYBER-001) | |
| name | varchar(255) | Risk title | |
| category | varchar(50) | operational · technological · regulatory · reputational · strategic · environmental | |
| target_type | enum | process · vendor · application · location · organisation — polymorphic | |
| target_id | uuid | FK to the table indicated by target_type (CHECK-enforced) | |
| inherent_likelihood | int | 1-5 before treatment | |
| inherent_impact | int | 1-5 before treatment | |
| residual_likelihood | int | 1-5 after treatment | |
| residual_impact | int | 1-5 after treatment | |
| scenario_id | uuid | FK scenarios — links to reusable archetype | |
| owner_id | uuid | FK users — accountable risk owner |
public.risk_treatments| Column | Type | Clause | Note |
|---|---|---|---|
| treatment_type | varchar(50) | accept · transfer · mitigate · avoid | |
| description | text | What the treatment does | |
| status | varchar(50) | planned · in_progress · implemented · verified | |
| owner_id | uuid | Treatment owner (often differs from risk owner) | |
| due_date | date | Target completion | |
| verified_at | timestamptz | When effectiveness was confirmed |
| Clause | What it asks for | BCMStack surface |
|---|---|---|
| §6.1 | Risks and opportunities — formal register | risks table with polymorphic targets |
| §6.1.2 | Risk treatment options | risk_treatments — 4 treatment types |
| ISO 31000 | Risk-management process alignment | Inherent + residual scoring; full risk lifecycle |
| §8.2 | Risk feeds into BIA | scenario_bia_process_links — risks attached to BIA processes |
| §8.3 | Strategies derived from risk treatments | Treatments inform BCP plan strategy types |
How the Risk module compares to peer platforms
Most risk registers force you to pick one 'attached to' field — usually a process. BCMStack's risks table has a polymorphic target_type + target_id that can point to a process, vendor, application, location, or the organisation as a whole. A SAN-failure risk targets a location; a third-party-outage risk targets a vendor; a regulatory-breach risk targets a process. Each renders contextually.
Each risk has inherent_likelihood, inherent_impact, residual_likelihood, residual_impact (each 1-5) plus the calculated inherent_score and residual_score. The treatments table tracks what's been done to move from inherent to residual. The heatmap renders both — auditors can see the gap between gross and net.
Scenarios are reusable risk archetypes — 'Ransomware on Core Banking', 'SAN failure DC1', 'Critical-vendor SWIFT outage'. Each scenario carries typical_likelihood, typical_impact, scenario_type, coverage_tags. Risks reference scenarios. Exercise programmes also use scenarios. One source of truth across modules.
Top-N risks by residual score · risks by category · treatments overdue · risks past target review date · scenario coverage across the exercise programme. The reporting dashboard rolls these up across the organisation; the risk module's own dashboard shows them per-tenant.